Someone Is Slipping A Hidden Backdoor Into Juniper Routers Across The Globe, Activated By A Magic Packet

Someone has been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023.

The devices were infected with what appears to be a variant of cd00r, a publicly available "invisible backdoor" designed to operate stealthily on a victim's machine by monitoring network traffic for specific conditions before activating.

It's not yet publicly known how the snoops gained sufficient access to certain organizations' Junos OS equipment to plant the backdoor, which gives them remote control over the networking gear. What we do know is that about half of the devices have been configured as VPN gateways.

Once injected, the backdoor, dubbed J-magic by Black Lotus Labs this week, resides in memory only and passively waits for one of five possible network packets to arrive. When one of those magic packet sequences is received by the machine, a connection is established with the sender, and a followup challenge is initiated by the backdoor. If the sender passes the test, they get command-line access to the box to commandeer it.

As Black Lotus Labs explained in this research note on Thursday: "Once that challenge is complete, J-Magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or deploy malicious software."

While it's not the first-ever discovered magic packet [PDF] malware, the team wrote, "the combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory-only agent, makes this an interesting confluence of tradecraft worthy of further observation."

Juniper did not respond to The Register's inquiries.

Black Lotus Labs said it spotted J-Magic on VirusTotal, and the researchers said the earliest sample had been uploaded in September 2023.

The malware creates an eBPF filter to monitor traffic to a specified network interface and port, and waits until it receives any of five specifically crafted packets from the outside world. If one of these magic packets – described in the lab's report – shows up, the backdoor connects to whoever sent the magic packet using SSL; sends a random, five-character-long alphanumeric string encrypted using a hardcoded public RSA key to the sender; and if the sender can decrypt the string using the private half of the key pair and send it back to the backdoor to verify, the malware will start accepting commands via the connection to run on the box.

"We suspect that the developer has added this RSA challenge to prevent other threat actors from spraying the internet with magic packets to enumerate victims and then simply repurposing the J-Magic agents for their own purposes, as other nation-state actors are known for exhibiting that parasitic tradecraft such as Turla," the lab's threat hunters wrote.

Assuming the attacker successfully completes the challenge, they have full access to the router, leaving the victim organization vulnerable to further compromise.

• Mystery miscreant remotely bricked 600,000 SOHO routers with malicious firmware update
• One of Salt Typhoon's favorite flaws still wide open on 91% of at-risk Exchange Servers
• Ransomware scum make it personal for Reg readers by impersonating tech support
• Don't want your Kubernetes Windows nodes hijacked? Patch this hole now

These victims span the globe, with the researchers documenting companies in the US, UK, Norway, the Netherlands, Russia, Armenia, Brazil, and Colombia. They included a fiber optics firm, a solar panel maker, manufacturing companies including two that build or lease heavy machinery, and one that makes boats and ferries, plus energy, technology, and semiconductor firms.

While most of the targeted devices were Juniper routers acting as VPN gateways, a more limited set of targeted IP addresses had an exposed NETCONF port, which is commonly used to help automate router configuration information and management. 

This suggests the routers are part of a larger, managed fleet such as those in a network service provider, the researchers note.

"We suspect these devices were targeted for their central role in the routing ecosystem," they added. "As routers that are configured with network filters, settings, policies, tracking, and controls, they are valuable as targets for attackers who may want to pivot or persist within an ecosystem."

Black Lotus Labs also published a full list of indicators of compromise, so we'd suggest giving those a read on the security shop's GitHub page. ®